The recent Facebook-Cambridge Analytica scandal made us realize how important strong data protection rules are for the society as a whole, including for the very functioning of the democratic process.
These and other developments have shown that the protection of privacy is crucial, both as an individual right and democratic imperative as well as economic necessity.
Without consumers’ trust in the way their data is handled, our data-driven economies will not thrive.
The General Data Protection Regulation, which entered into application on May 25, is the European Union’s response to these challenges and opportunities. It seeks to create a virtuous circle between better protection of privacy as a fundamental right, enhanced consumer confidence in the privacy and security of their data, particularly online, and economic growth.
Vera Jourova, European commissioner for justice, consumers and gender equality (European Commission)
While building on foundations that have been in place for more than 20 years, the GDPR contains important innovations. Many of these changes are particularly relevant to foreign companies doing business in Europe. They will now offer their goods and services in a harmonized and simplified regulatory environment. Instead of having to deal with 28 different data protection laws and 28 different regulators, one set of rules will apply and will be interpreted in a uniform way throughout the continent.
Obligations to notify data processing operations or obtain prior-authorization from data protection authorities will be scrapped. A number of key concepts are clarified and adapted to the needs of the digital economy. International data transfers from the EU will be simplified and facilitated. All this will mean increased legal certainty and a significant reduction in compliance costs and red tape.
The GDPR is also based on a modern approach to regulation, which rewards new ideas, methods and technologies to address privacy and data security. The principles of data protection “by design” and “by default” will create incentives to develop innovative solutions from the earliest stages of development.
The so-called “risk-based approach” means that companies that limit the level of risk of their processing operations will not be subject to a number of obligations. Co-regulatory tools, such as codes of conduct or certification mechanisms, are introduced to help companies in managing and demonstrating compliance. Last but not the least, new rights and safeguards, such as the right to portability or the notification of data breaches, will put individuals in better control of their data.
Empowering consumers means also ensuring that they feel safer and more confident when sharing their data.
These developments are of course not limited to Europe. Today, more than 120 countries from almost all regions of the globe have data privacy law in place. And many of the new or modernized laws tend to be based on common elements: a comprehensive legislation rather than sectorial rules, a set of enforceable rights, the setting up of an independent supervisory authority, et cetera. While improving the level of protection of personal data when transferred abroad, this developing convergence offers new opportunities to facilitate trade as well as cooperation between public authorities, both of which increasingly rely on the exchange of personal data.
The European Commission is committed to intensifying its dialogue with its international partners in this area, to promote and further develop elements of convergence between privacy regimes. This includes the possibility of adopting adequacy findings allowing unhindered data flows, as currently being discussed with Japan and South Korea.
Fostering convergence also means learning from each other through the exchange of experience and best practices. This type of dialogue is essential in our interconnected world if we want to address challenges that are increasingly global in nature and scope.
By Vera Jourova, European Commissioner for Justice, Consumers and Gender Equality